On Thu, 2006-06-01 at 11:43 +0000, [EMAIL PROTECTED] wrote:
> 
> All this may sound a bit (very?) paranoid for a small community portal
> site. The large number of comment spamming, SPAM and exploits against
> phpBB sites, etc. shows that some people just don't play fair. You don't
> really want these people to go and write arbitrary HTML on your page.
> And the potential for abuse is such that if you DO allow HTML in
> postings, you have a lot of filtering to do.
> 
> Daniel


You're going to have to filter on the server side no matter what the browser 
editor produces. I.e. if you want to allow someone to post a link, you'll still 
have to filter the href of the link posted via BBCode or someone can just 
bypass the editor and post the code directly by not using your interface.

The only surefire way, of course, is to completely disallow HTML (via quoting < 
characters) and just allow text. The next best thing is to use a whitelisting 
filter that only allows the tags you want it to allow. I have such a filter, 
and if there's interest I'll clean it up and post it somewhere. For now there's 
a prototype version at http://z.iwethey.org/forums/SourceCode/src/htmlparse.py 
that needs some work.

It scrubs everything by default. Tags are detected and filtered for
allowed markup only (e.g. you can only put http:// in an href). There are
some BBCode-like markup elements (a number of which are specific to my
forums code only), and it's fairly trivial to add more. There's also a
two-step processing system: scrubbing first, during which links and the
like are converted to an interim format before being stored in the
database, then a second step which takes links and converts them to
actual tags according to the preferences of the user (some users like
all links to open a new window, for example) just before display.

Regards,
-scott
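An added example (not Scott's htmlparse.py and not from the original thread) of the server-side whitelisting filter and the two-step scrub/render pipeline described above, in Python. The allowed tag set, the `[link=...]` interim format and the http://-only href rule are assumptions made for this example.

```python
import re
from html import escape
from html.parser import HTMLParser

# Whitelisted tags (a constructed set for this example); all else becomes text.
ALLOWED_TAGS = {"b", "i", "a"}
LINK_RE = re.compile(r"\[link=([^\]]+)\](.*?)\[/link\]", re.S)

class WhitelistScrubber(HTMLParser):
    """Step 1: scrub server-side, whatever editor produced the input."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.links = [], []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:  # unknown tag: shown literally, not executed
            self.out.append(escape(self.get_starttag_text()))
        elif tag == "a":
            href = (dict(attrs).get("href") or "").strip()
            ok = href.lower().startswith("http://")  # only http:// in an href
            self.links.append(ok)
            if ok:  # interim form; ']' is encoded so it cannot break the markup
                self.out.append("[link=%s]" % escape(href.replace("]", "%5D"), quote=True))
        else:
            self.out.append("<%s>" % tag)  # attributes (onclick, style, ...) dropped

    def handle_endtag(self, tag):
        if tag not in ALLOWED_TAGS:
            self.out.append(escape("</%s>" % tag))
        elif tag == "a":
            if self.links and self.links.pop():
                self.out.append("[/link]")
        else:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        # '[' is encoded so nobody can hand-type [link=...] around the http:// check.
        self.out.append(escape(data).replace("[", "&#91;"))

def scrub(post):
    p = WhitelistScrubber()
    p.feed(post)
    p.close()
    return "".join(p.out)

def render(stored, new_window=False):
    # Step 2: real anchors are built at display time, per the viewer's preference.
    extra = ' target="_blank"' if new_window else ""
    return LINK_RE.sub(lambda m: '<a href="%s"%s>%s</a>' % (m.group(1), extra, m.group(2)), stored)
```

The stored form never contains a raw anchor, so a poster who bypasses the editor still cannot get a javascript: or onclick into the page, whether the markup was typed as HTML or as a hand-written `[link=...]`.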
